Security experts have uncovered a new version of the Android malware “FakeSpy” that steals SMS messages, application data, and financial data from Android users all over the world.

This is a type of phishing malware, an upgraded version of the earlier FakeSpy Android malware. The current phishing campaign is targeting France, China, Switzerland, Taiwan, the United Kingdom, Germany, and the United States.

According to the report by Almkias, this new version of FakeSpy is significantly more capable than the earlier versions. It continues to evolve rapidly, with new iterations being released every week, and its developers' code now has distinct evasion and obfuscation methods.

The most advanced version of the FakeSpy campaign was discovered by cybersecurity experts at Cybereason, who claim that the attacks are connected to ‘Roaming Mantis,’ a Chinese-speaking cybercriminal group that has already performed campaigns like this.

In a previous campaign, mobile users received phishing messages containing “delivery updates” with a link to a fake website that led them to download and install the FakeSpy APK on their device, supposedly from ‘Sagawa Express,’ a major Japanese transportation company.

Key Findings:

  • It is a new malware, an upgraded version of the FakeSpy Android malware, and the Cybereason Nocturnus team is investigating it.
  • FakeSpy emerged in 2017 and initially targeted Japanese and South Korean speakers.
  • According to the Cybereason experts, this malware is linked to “Roaming Mantis,” a Chinese-speaking group that has performed similar campaigns.
  • FakeSpy poses as legitimate apps for postal and transportation services in order to gain users' trust.
  • The latest version of FakeSpy is more potent than the previous one.
  • It comes with several new features.
  • Once the user installs it, the app asks for permissions that let it control SMS messages and steal sensitive data from the device.

Stealing Sensitive Information

The new version of FakeSpy has multiple built-in information-stealing capabilities. One function is used to steal contact data: a feature known as upCon is used to steal all contacts in the contact list along with their data.

Once that is done, it transfers the data to the C2 server using a URL that ends with /servlet/ContactUpload. The basic sensitive data that FakeSpy steals consists of the mobile number, the contacts (with a marker the attackers use to distinguish the type of data stolen), and the user's name.

Companies Impersonated by the FakeSpy Malware

  • United States Postal Service
  • La Poste
  • Yamato Transport
  • Swiss Post
  • Deutsche Post
  • Royal Mail
  • Japan Post
  • Chunghwa Post
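The two network-visible behaviours described above, the upload to a C2 URL ending in /servlet/ContactUpload and the delivery of an APK posing as one of the listed postal services, can be turned into a simple proxy-log check. This is an added example, not code from the article or from Cybereason; it assumes Apache combined-format proxy logs, and the brand-keyword list and sample log lines are constructed for illustration.

```python
"""Flag web-proxy log lines matching FakeSpy-style network indicators.

Added example (not from the article or Cybereason). Assumes combined-format
proxy logs with full URLs; the C2 upload path is the one quoted in the
article, the brand keywords are a constructed assumption.
"""
import re
from urllib.parse import urlsplit

# Combined log format: client - - [time] "METHOD URL PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

C2_UPLOAD_PATH = "/servlet/ContactUpload"   # exfiltration path named in the article

# Constructed keyword list derived from the impersonated postal services above
POSTAL_KEYWORDS = ("usps", "laposte", "yamato", "swisspost", "deutschepost",
                   "royalmail", "japanpost", "chunghwa", "post")

def classify(line):
    """Return an alert string for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    path = url.path.lower()
    host = (url.hostname or "").lower()
    # Contact exfiltration: POST to the C2 servlet path
    if m["method"] == "POST" and url.path.endswith(C2_UPLOAD_PATH):
        return f"C2_UPLOAD client={m['client']} host={host}"
    # Smishing payload: APK download branded as a postal service
    if path.endswith(".apk") and any(k in host or k in path for k in POSTAL_KEYWORDS):
        return f"POSTAL_APK_DOWNLOAD client={m['client']} host={host}"
    return None

def scan(lines):
    """Run classify over every line and keep only the alerts."""
    return [alert for alert in map(classify, lines) if alert]

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jul/2020:10:01:02 +0000] "GET http://track-royalmail-parcel.example/RoyalMail.apk HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Linux; Android 9)"',
    '10.0.0.5 - - [03/Jul/2020:10:03:15 +0000] "POST http://c2.example/servlet/ContactUpload HTTP/1.1" 200 12 "-" "Dalvik/2.1.0"',
    '10.0.0.7 - - [03/Jul/2020:10:04:00 +0000] "GET http://news.example/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```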

Who is Behind Fakespy’s Smishing Campaigns?

According to Nocturnus, this malware is linked to the “Roaming Mantis” Chinese-speaking hacking group, which runs similar campaigns. The researchers therefore suspect Chinese operators.

Roaming Mantis is considered to be a Chinese cybercriminal group that emerged in 2018. In this phishing campaign, the hackers send fake text messages, usually a warning about a held package or a missed delivery.

These lure the victims into clicking a malicious link, which directs them to download an Android application package that purports to be the sender’s app but in reality contains the FakeSpy malware.

The authors of FakeSpy are continually working to evolve and improve the malware, and their efforts have made FakeSpy one of the most powerful information stealers on the internet.


BALAJI is an ex-security researcher (Threat Research Labs) at Comodo Cybersecurity and the Editor-in-Chief & Co-Founder of Cyber Security News & GBHackers On Security.